1 · Cookie Playground

Set real cookies on this page with chosen attributes, then see the raw document.cookie string and a parsed table. (Note: JavaScript can't set HttpOnly — only a server can.)

document.cookie (raw string)
Parsed cookies on this page

2 · Why HttpOnly Matters

The server can set cookies JavaScript can never read. Below: a "server jar" holds a session marked HttpOnly. The "JavaScript view" (document.cookie) simply can't see it — so an XSS payload can't steal it. Click to simulate an XSS read.

🖧 Server's view (all cookies)

__Host-session = a1b2c3… HttpOnly
theme = dark
lang = en

🌐 JavaScript view (document.cookie)

__Host-session = ??? HttpOnly — invisible
theme = dark
lang = en

3 · Cookie vs localStorage vs sessionStorage

Write the same key to all three and compare behavior. Cookies travel to the server on every request; Web Storage stays on the client. Try reloading or closing the tab to see persistence differences.

Store          | Current value | Sent to server? | Survives tab close?
Cookie         |               | ✅ yes          | ✅ if Max-Age set
localStorage   |               | ❌ no           | ✅ yes
sessionStorage |               | ❌ no           | ❌ no

4 · SameSite & CSRF Explainer

Will the cookie be attached to a request? It depends on the SameSite value and the request context. Pick a value to see which scenarios send the cookie (and how that blocks CSRF).
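The decision the explainer lets you click through, written out as an added example (not code from the original playground): a pure function that takes a cookie's SameSite/Secure attributes and a request context (same-site or cross-site, top-level navigation or not, HTTP method) and returns whether the browser attaches the cookie. The scenario names and the `cookieSent`/`sendMatrix` helpers are assumptions for illustration; an unset SameSite is treated as Lax, the current browser default.

```javascript
// Added example (not from the original playground): encodes the SameSite rules
// the explainer above illustrates, so the "is the cookie sent?" decision can be
// checked outside a browser.
//   Strict -> sent on same-site requests only
//   Lax    -> same-site requests, plus cross-site TOP-LEVEL navigations using a
//             safe method (a cross-site link works, a cross-site form POST does not)
//   None   -> sent on every request, but only if the cookie is also Secure
// Unset SameSite is treated as Lax (the modern browser default); the temporary
// "Lax-allowing-unsafe" grace period for freshly set cookies is not modelled.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie:  { sameSite: "Strict" | "Lax" | "None", secure: boolean }
// request: { crossSite: boolean, topLevelNavigation: boolean, method: string }
function cookieSent(cookie, request) {
  const mode = String(cookie.sameSite ?? "Lax").toLowerCase();
  const method = String(request.method ?? "GET").toUpperCase();
  if (mode === "none") {
    // SameSite=None without Secure is rejected at set time, so it is never sent.
    return Boolean(cookie.secure);
  }
  if (!request.crossSite) return true;        // same-site: always attached
  if (mode === "strict") return false;        // Strict: never cross-site
  // Lax: only a top-level navigation with a safe method carries the cookie,
  // which is exactly what blocks a cross-site form POST (classic CSRF).
  return Boolean(request.topLevelNavigation) && SAFE_METHODS.has(method);
}

// Constructed scenarios matching the explainer's "request context" choices.
const SCENARIOS = [
  { name: "same-site link or fetch",             crossSite: false, topLevelNavigation: true,  method: "GET"  },
  { name: "cross-site link (top-level GET)",     crossSite: true,  topLevelNavigation: true,  method: "GET"  },
  { name: "cross-site form POST (classic CSRF)", crossSite: true,  topLevelNavigation: true,  method: "POST" },
  { name: "cross-site <img>/fetch subresource",  crossSite: true,  topLevelNavigation: false, method: "GET"  },
];

// Returns { scenarioName: true|false } for one SameSite value.
function sendMatrix(sameSite, secure = true) {
  return Object.fromEntries(
    SCENARIOS.map((s) => [s.name, cookieSent({ sameSite, secure }, s)])
  );
}

// Stand-alone demo: compare the three values side by side.
for (const value of ["Strict", "Lax", "None"]) {
  console.log(`SameSite=${value}:`, sendMatrix(value));
}
```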